Detection Engineering for Windows

This training will take place on further notice. Signing up is possible. We will notify you afterwards with the new date. 

Detection engineering is a method to build and improve your detection capabilities. The Detection Engineering for Windows training brings you up-to-speed in two days.

To help building proper analytics and automated detection capabilities requires an understanding of the techniques and tooling an attacker utilizes, the various options they can use, and what kind of indicators can be extracted from them. This process is called Detection Engineering and it is a *crucial* factor in the whole chain to be truly effective in being able to catch any attacker in your network.

Additional to a solid prevention program, you will have the need for visibility of attacks. This requires developing solid detections. Regardless of the form (a hunt, an alert rule, or some other form of risk-based trigger), detection engineering entails a lot more than randomly digging through data or copy pasting queries you've found on the internet.

This 2-day training focuses on the whole detection engineering cycle, from defining an analytic to researching the relevant techniques to building the detection logic, researching which logs can be utilized and validating its resilience in attempts to bypass it.

Log data obviously has a very important role here; getting to know your data in-depth and understanding what a system can generate will allow you to focus your detective capabilities as well as utilize your data as efficient as possible. After executing multiple variants of an attack, we will examine all available data to see what kind of indicators were generated and which ones are of use with an acceptable false positive rate. This might involve more data than an organization generally onboards. In some cases, the data can be onboarded while in other cases the risk will have to be accepted due to a high volume or false positive rate.

This training consists of several hands-on exercises for the students to get used to the detection engineering methodology and to start implementing this in their organizations.


This training is powered and delivered by FalconForce


Day 1 - Pre-Hunt activities
  • Introduction
  • Detection engineering principles
  • Different drivers of looking at your data
  • Using and understanding MITRE ATT&CK
  • Understanding your adversaries and their techniques
  • Understanding and assessing (your) data
  • Information resources
  • Using threat information
  • Exercise: Research a technique and assess your visibility
  • Data sources and tooling
  • Exercise: Defining analytics based on threat information
  • Define the analytic
  • Exercise: Executing your analytic(s)
  • Manual versus automatic analytics, when to apply which one
  • Reporting your findings
Day 2 - Building your detection engineeering
  • Recap day 1
  • Detection Resilience
  • Exercise: Revisiting your analytic(s) and testing their resilience
  • Risk based events, correlation in a modern way
  • Exercise: Develop risk driven alerts
  • Setup and Splunk intro
  • Threat Hunting Splunk application, an introduction
  • Additional analytical tooling
  • Threat briefing
  • Collaborative CTF Style lab
  • Findings evaluation session
  • Validation of your results
  • Drinks and end
  1. Laptop with a modern browser;
  2. VMWare, VirtualBox or Parallels installed.
  3. 16Gb RAM / 30GB diskspace

More preparations and relevant documentation will be shared with the students in advance of the training.

Why is your material different, innovative, and/or significant?

Educating people to not just trust the information they find online, which is often incomplete. They will learn to build their own research workflow, document this and create a solid investigative workflow. We believe that by doing so, we are able to create a new generation of specialists that contribute to a more resilient digital society.

What tools are used during your training (if applicable)?

  • Loads of windows applications
  • PowerShell scripts
  • Splunk
  • Windows 10 Virtual Machine
  • Sysmon

Has this training been given anywhere else? If so, where?

This is a newly developed training, based on years of experience from our trainers. The content was been used in a Threat Hunting workshop held at DefCon Las Vegas 2019, in addition it was selected for Troopers2020, one of the most relevant conferences for Detection Engineering and Threat Hunting.


BCN Arena, Next to Amsterdam Arena Trainstation
Atlas Arena Complex
Building Azië - 5th level
Hoogoorddreef 5
1101 BA Amsterdam
Phone: 020 - 5 677 980


For this two day training we charge € 1500,- per participant, excluding taxes.


8:30 - 9:00Walk in with coffee and tea
9:00 - 12: 00Course
12:00 - 13:00Lunch
13: 00 - 17:00Couse
17: 00 - 18:00Drinks (not obligated)


  1. Olaf Hartong Olaf Hartong Co-Founder & Defensive specialist @ FalconForce

    Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He specialises in understanding the attacker tradecraft and thereby improving detection. He has a varied background in bl..

    Meer over Olaf Hartong

    Bekijk op Linkedin

  2. Gijs Hollestelle Co-Founder & Security specialist @ FalconForce

    Gijs is an Offensive Specialist at FalconForce, with an affinity for Defense. He has over 15 years of experience in digital security, with a long track record in red teaming, advanced security testing..

    Meer over Gijs Hollestelle

    Bekijk op Linkedin